...
On VMware Horizon Cloud Connector versions 2.0.0, 2.1.2, 2.2.0.0, 2.3.0.0, if the Kubernetes cluster certificate has already expired, the Cloud Connector services go into error status with the following message in viewproxyadapter.log:

[ConnectionServersRefreshTask] Unable to refresh Connection Servers List java.lang.RuntimeException: Api call to query https://172.28.100.82:6443/api/v1/namespaces/hze-system/endpoints/hze-viewproxy is unsuccessful

Any command that uses kubectl to interact with the Kubernetes cluster fails with the following exception:

Command: kubectl get pods -A
Response: Unable to connect to server: x509: certificate has expired or is not yet valid: current time 2022-12-21T18:39:172 is after 2022-12-15T04:26:052

The following log entry can be found in the logs/hze-core/viewproxyadapter.log file of the connector appliance:

Unable to connect to server: x509: certificate has expired or is not yet valid: current time 2022-12-21T18:39:172 is after 2022-12-15T04:26:052
Horizon Cloud Connector deploys its services on a Kubernetes cluster created inside the VM. By default, the Kubernetes cluster issues certificates with a validity of 1 year. If a Cloud Connector VM is more than 1 year old, the certificates expire, the Cloud Connector services can no longer communicate, and the connector loses connectivity with the cloud.
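The x509 message quoted in the symptoms covers two different conditions: an expired certificate ("is after") and a certificate that is not yet valid ("is before"). The following Python sketch is an added example, not part of the VMware article or product. It scans log lines for that message, separates the two cases and reports how many whole days the clock is past or short of the certificate bound. The sample lines are constructed, and the function names are assumptions of this example.

```python
import re
from datetime import datetime

# Go's crypto/x509 uses one message for both "expired" and "not yet valid";
# only the trailing "is after" / "is before" tells the two cases apart.
X509_RE = re.compile(
    r"x509: certificate has expired or is not yet valid: "
    r"current time (?P<now>\S+) is (?P<rel>after|before) (?P<bound>\S+)"
)

# Constructed sample lines (not taken from a real appliance).
SAMPLE_LOG = [
    "[ConnectionServersRefreshTask] Unable to refresh Connection Servers List",
    "Unable to connect to server: x509: certificate has expired or is not yet "
    "valid: current time 2023-03-10T09:00:00Z is after 2023-03-01T08:30:00Z",
    "Unable to connect to server: x509: certificate has expired or is not yet "
    "valid: current time 2023-03-01T00:00:00Z is before 2023-03-02T12:00:00Z",
]

def _parse(ts):
    # RFC 3339 timestamp; map a trailing Z to an explicit UTC offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def triage(lines):
    """Return (line_no, verdict, whole_days) for each x509 validity error."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = X509_RE.search(line)
        if not m:
            continue
        try:
            now, bound = _parse(m["now"]), _parse(m["bound"])
        except ValueError:
            # Truncated or damaged timestamp: report it instead of guessing.
            findings.append((line_no, "unparsed", None))
            continue
        if m["rel"] == "after":
            # Clock is past notAfter: certificate expired, renewal needed.
            findings.append((line_no, "expired", (now - bound).days))
        else:
            # Clock is before notBefore: check the appliance clock first.
            findings.append((line_no, "not_yet_valid", (bound - now).days))
    return findings

if __name__ == "__main__":
    for line_no, verdict, days in triage(SAMPLE_LOG):
        print(f"line {line_no}: {verdict} ({days} days)")
```

A "not_yet_valid" finding points to a wrong system clock rather than to the 1-year expiry described above, so renewing certificates would not clear it.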
This issue has been fixed in Horizon Cloud Connector 2.4 and later releases.
Cloud Connector version 2.0.0.0 and above:

1) SSH to the Cloud Connector VM using the ccadmin account and switch the context to root (sudo -i).

2) Execute the following command, which displays the certificate expiry dates:
/opt/vmware/sbin/kube-certs.sh -l

3) Execute the following command to renew the cluster certificates (this extends certificate validity by 1 year):
/opt/vmware/sbin/kube-certs.sh -u

4) Reboot the VM once the renewal process completes. If the cluster comprises Primary and Worker nodes, reboot both VMs.

5) Verify that all the Kubernetes services are up and running by executing the following command on the primary VM:
kubectl get pods -A
Note: It may take anywhere between 2 to 3 minutes for all services to initialize. Proceed to the next step once all services are in the ready state.

6) Log in to the Horizon Cloud Connector configuration portal and use the Reconfigure workflow. (This step is only needed if the certificates had already expired.)

Note: The certificate renewal commands need to be executed only on the Primary node. The Primary node shares certificates across all the nodes in the cluster, so the script specified in this article needs to be run only on the Primary node.